[Users] problems with SNAT/MASQUERADE

Galia Lisovskaya inbox at shaggy-cat.ru
Sun Dec 20 07:53:02 EST 2009


I try to use the System V script:
http://wiki.openvz.org/Setting_up_an_iptables_firewall

It doesn't work for me too :(  Maybe because the old hardware node has a
public IP, but the test HN has a private IP?

Please help. Maybe somebody could print a working configuration?

[root at ovz-test2 ~]# ip r ls
10.0.5.44 dev venet0  scope link  src 10.0.5.128
10.0.5.47 dev venet0  scope link  src 10.0.5.128
10.0.5.46 dev venet0  scope link  src 10.0.5.128
10.0.5.41 dev venet0  scope link  src 10.0.5.128
10.0.5.42 dev venet0  scope link  src 10.0.5.128
10.0.5.0/24 dev eth0  proto kernel  scope link  src 10.0.5.128
169.254.0.0/16 dev eth0  scope link
[root at ovz-test2 ~]#


[root at ovz-test2 ~]# service iptables stop
Сбрасываются правила брандмауэра:                          [  OK  ]
Политика цепочек брандмауэра устанавливается в ACCEPT: raw [  OK  ]le filter
Выгружаются модули                                         [ СБОЙ ]
[root at ovz-test2 ~]# service firewall start
Starting firewall...
Firewall: Purging and allowing all traffic                 [  OK  ]
Firewall: Setting default policies to DROP                 [  OK  ]
Firewall: Allowing access to HN
          port 53                                          [  OK  ]
          DMZ 10.0.5.2                                     [  OK  ]
Firewall: Setting up container firewalls
          test-dns.local CT407                             [  OK  ]

[root at ovz-test2 ~]# iptables -t nat -A POSTROUTING -o eth0 -s 10.0.5.0/24 -j MASQUERADE
(because the script doesn't add this rule)

[root at ovz-test2 ~]# iptables-save
# Generated by iptables-save v1.3.5 on Sun Dec 20 15:50:05 2009
*nat
:PREROUTING ACCEPT [10:754]
:POSTROUTING ACCEPT [212:12565]
:OUTPUT ACCEPT [208:12272]
-A POSTROUTING -s 10.0.5.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Dec 20 15:50:05 2009
# Generated by iptables-save v1.3.5 on Sun Dec 20 15:50:05 2009
*mangle
:PREROUTING ACCEPT [2321:375849]
:INPUT ACCEPT [2198:364383]
:FORWARD ACCEPT [121:11298]
:OUTPUT ACCEPT [2277:407252]
:POSTROUTING ACCEPT [2398:418550]
COMMIT
# Completed on Sun Dec 20 15:50:05 2009
# Generated by iptables-save v1.3.5 on Sun Dec 20 15:50:05 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2252:404672]
-A INPUT -s 10.0.5.2 -i eth0 -j ACCEPT
-A INPUT -s 10.0.5.0/255.255.255.0 -d 10.0.5.128 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 10.0.5.0/255.255.255.0 -d 10.0.5.128 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.5.0/255.255.255.0 -d 10.0.5.47 -p udp -j ACCEPT
-A FORWARD -s 10.0.5.0/255.255.255.0 -d 10.0.5.47 -p tcp -j ACCEPT
-A FORWARD -d 10.0.5.47 -p udp -m udp --dport 22 -j ACCEPT
-A FORWARD -d 10.0.5.47 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.0.5.2 -i eth0 -j ACCEPT
-A FORWARD -s 10.0.5.0/255.255.255.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Dec 20 15:50:05 2009


[root at ovz-test2 ~]# cat /etc/firewall.d/ve407
# This file is processed by /etc/init.d/firewall
CTID="407"                      # the container's ID#
CTNAME="test-dns.local"         # A human-friendly label for the container
CTIP="10.0.5.47"                # the IP address for this container
OPENPORTS="22 "         # ports that should be universally opened
                                # to the entire Internet
DMZS="10.0.5.0/24"      # IPs and blocks that should have full access
                                # to the container's services
BANNED=""                       # IPs and blocks that should be entirely
                                # blocked from the container's services



-- 
Galina Lisovskaya


